Purpose 


1. To update the board on Information Assurance work and to seek their 
endorsement of the work underway and the planned future work. The board is 
asked to note the paper and agree the next steps. 


Background 


2. Over the last nine months, taking note of the feedback received during the 
consultation on the proposed changes to the Local Electoral Administration 
and Registration Services Scotland Act 2006 (LEARS), we have been working 
with a range of partners to carry out a due diligence review of the assurance 
arrangements we have in place around NHSCR. 


3. This has fallen into three main blocks of work: Privacy Impact Assessments, 
Data Sharing Arrangements and Governance. 


General Progress 


4. Overall progress has been slow but steady in this area. External factors have 
meant progress has been slower than we had planned but we have 
maintained headway. 


Progress Report and Next Steps 


5. Privacy Impact Assessment — The NHSCR pre-dates the introduction of 
Privacy Impact Assessments so none have been carried out for NHSCR until 
now. We decided to use the LEARS consultation as an opportunity to collect 
information to complete Privacy Impact Assessments (PIAs) for the new 
proposals. We have started with the Data Quality Activity and Tracing. These 
are being drafted and will be shared with the Information Commissioner’s 
Office (ICO) for informal feedback. We will then use these as a basis for 
developing PIAs for all NHSCR activity. 


6. Data Sharing Arrangements — We have reviewed all data sharing into and out 
of the NHSCR. As arrangements for data sharing with a wide range of 
partners have evolved over time there is a range of approaches in place 
describing these arrangements. We have been working on reviewing, 
updating and redrafting agreements with the aim of creating a coherent set of 
agreements, based on current best practice, that transparently describe all 
sharing involving NHSCR. Given the number of partners involved this has 
been a time-consuming task but good progress has been made. 

7. Governance — We have clarified the governance arrangements around the 
NHSCR confirming the key roles and groups involved in this, including 
producing the refreshed Terms of Reference for this group. 


8. Key roles and groups are: 

• Data Controller — Registrar General (RG) 
• Information Asset Owner — NRS Head of Data Resources 
• Operational Management — NHSCR team 
• NHSCR Governance Board — Advise RG on strategic NHSCR matters 
• Information Assurance and Security Management Forum — Advise 
  Information Services (IS) on assurance matters relating to myaccount 
  including use of NHSCR 
• Public Benefit and Privacy Panel — Provides advice on medical research 
  proposals relating to NHSCR 


